HIGH · CVE-2026-39552 · CNA: Patchstack

CVE-2026-39552: WordPress Blueprint theme < 1.1.5 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Code Supply Co. Blueprint allows PHP Local File Inclusion. This issue affects Blueprint: from n/a before 1.1.5.

Metrics

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: 1.1.5
Affected Products: 1


HarborGuard Analysis

Synopsis

A Local File Inclusion (LFI) vulnerability exists in the Blueprint WordPress theme by Code Supply Co., affecting all versions before 1.1.5. The flaw is reachable over the network without any authentication, though exploitation requires overcoming certain environmental conditions, reflecting a High CVSS score of 8.1. A successful attacker can read sensitive files from the server, tamper with data, and potentially crash or fully compromise the affected host. A patched-image rebuild at version 1.1.5 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including the Patchstack advisory feed, within minutes of publication and matched against customer images, including custom-built WordPress images that bundle the Blueprint theme. Any image carrying Blueprint older than 1.1.5 is flagged automatically.

Triage (Available)

HarborGuard surfaces this CVE with its CVSS v3.1 score of 8.1 (High) and weights it against each environment's compliance policy to determine urgency and routing. Triage alerts are delivered to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch (Available)

A patched-image rebuild at Blueprint version 1.1.5 becomes available on HarborGuard once the fix version is confirmed against the upstream package registry. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the WordPress service via HTTP/HTTPS to attempt exploitation.

  • Authentication: Not required

    No account or session credential is needed; the vulnerable include path can be triggered by an unauthenticated HTTP request.

  • Victim interaction: Not required

    The attacker does not need to trick or involve any user; the request is sent directly to the server without any user action.

  • Attack complexity: High

    Exploitation is rated High complexity, meaning the attacker must account for specific environmental conditions or configurations, such as particular server path layouts or PHP settings, before the file inclusion succeeds reliably.

Blast Radius

  • A successful attacker can read arbitrary files on the server, including WordPress configuration files that contain database credentials and secret keys.
  • The attacker can include and execute PHP code already present on the filesystem, leading to full remote code execution on the host.
  • Database contents, user records, and stored session tokens become readable or modifiable once database credentials are exposed.
  • Malicious execution on the server can crash PHP worker processes or exhaust system resources, disrupting service availability.
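The advisory describes a CWE-98 pattern (a request value reaching a PHP include) without showing the theme's code. The following is an added illustration, not code from the Blueprint theme or from Patchstack, of what that bug class looks like in generic form next to the allowlist fix that removes it. The template directory layout, the template names and the "tpl" query parameter are all assumptions made for the example.

```php
<?php
// Added example (not the Blueprint theme's code). Shows the generic CWE-98
// shape behind this advisory and the allowlist-based fix. Directory layout,
// template names and the "tpl" parameter are constructed for illustration.

// --- Vulnerable pattern: a request value is concatenated into an include path.
function render_template_unsafe(string $template): void
{
    // Any value containing traversal sequences escapes the templates directory,
    // so files outside it (including existing PHP files) become includable.
    include __DIR__ . '/templates/' . $template . '.php';
}

// --- Hardened pattern: the request value only selects a key in a fixed map.
const ALLOWED_TEMPLATES = [
    'single'  => 'single.php',
    'archive' => 'archive.php',
    'page'    => 'page.php',
];

/**
 * Resolve a user-supplied template key to an absolute path, or null if the
 * key is unknown. The raw request value never becomes part of the path.
 */
function resolve_template(string $key): ?string
{
    if (!array_key_exists($key, ALLOWED_TEMPLATES)) {
        return null;
    }
    $base = realpath(__DIR__ . '/templates');
    if ($base === false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . ALLOWED_TEMPLATES[$key]);
    // Defence in depth: even an allowlisted entry must resolve under $base
    // (guards against a symlinked or misconfigured templates directory).
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function render_template_safe(string $key): void
{
    $path = resolve_template($key);
    if ($path === null) {
        // Unknown key: fail closed rather than fall through to a default include.
        http_response_code(404);
        echo 'Template not found';
        return;
    }
    include $path;
}

// Usage (constructed): the hypothetical "tpl" parameter selects a key only.
render_template_safe($_GET['tpl'] ?? 'single');
```

The design point is that the allowlist makes the request value irrelevant to path construction: a value not in `ALLOWED_TEMPLATES` is rejected before any filesystem access, and the `realpath` prefix check catches cases where the templates directory itself has been redirected. A code-review or static-analysis rule that flags any `include`/`require` whose argument is derived from `$_GET`, `$_POST`, `$_REQUEST` or `$_COOKIE` finds the unsafe form directly.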

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-39552 is active against all scanned images the moment the advisory is ingested, with no manual configuration required. For environments running Blueprint below 1.1.5, a rebuild at the patched version is available as soon as the upstream package is confirmed. Customers with auto-remediation enabled receive a rebuilt image, a regression-test run, and a pull request opened against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in those environments. For customers who have not enabled auto-remediation, the triage alert is routed to the configured owner inbox with the CVSS 8.1 High severity and remediation guidance attached. Where compliance policy requires additional review before merge, the PR sits in a pending state until approved, so no change is applied without explicit sign-off.


Fix available: 1.1.5

Affected packages
  • Code Supply Co. / Blueprint: < 1.1.5 (from n/a)

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H